{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-cloudwatch/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Amazon CloudWatch"],"_cs_severities":["medium"],"_cs_tags":["cloudwatch","aws","logging"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe deletion of Amazon CloudWatch Log Groups, which store operational and security logs for AWS services and custom applications, can significantly impact security monitoring and incident response capabilities. This activity, detected via the 'DeleteLogGroup' API call, can be leveraged by adversaries to conceal malicious activities, disable log forwarding, and generally impede incident response efforts. The focus of this detection is on identifying successful 'DeleteLogGroup' events originating from non-AWS Internal user agents, potentially signifying defense evasion or disruption of logging pipelines. Defenders should prioritize investigation into the source, user agent, and surrounding activity to determine legitimacy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account, potentially through compromised credentials or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing CloudWatch Log Groups to identify targets for deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a 'DeleteLogGroup' API call using the AWS CLI, SDK, or console.\u003c/li\u003e\n\u003cli\u003eThe CloudWatch service authenticates and authorizes the request based on the attacker's IAM permissions.\u003c/li\u003e\n\u003cli\u003eIf authorized, the specified Log Group, including all associated log streams and historical log data, is permanently deleted.\u003c/li\u003e\n\u003cli\u003eThe deletion event is recorded in CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eSecurity monitoring pipelines and alerting mechanisms dependent on the deleted log group cease to function.\u003c/li\u003e\n\u003cli\u003eThe attacker's malicious activity within the environment becomes more difficult to detect and investigate due to the absence of logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDeletion of CloudWatch Log Groups can severely impair an organization's security posture. The loss of historical log data can hinder forensic investigations and make it difficult to reconstruct attack timelines. Disruption of security monitoring pipelines can lead to delayed detection of ongoing threats. Affected sectors include any organization leveraging AWS for its infrastructure and security logging, with victim counts dependent on the scope of the compromised AWS accounts. The risk score is 47.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS CloudWatch Log Group Deletion\u0026quot; to your SIEM and tune for your environment to detect unauthorized deletions of CloudWatch log groups.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026quot;AWS CloudWatch Log Group Deletion\u0026quot; rule, focusing on the source IP and user agent (\u003ccode\u003esource.ip\u003c/code\u003e, \u003ccode\u003euser_agent.original\u003c/code\u003e) to determine if the deletion was legitimate.\u003c/li\u003e\n\u003cli\u003eEnforce least privilege on \u003ccode\u003elogs:DeleteLogGroup\u003c/code\u003e to restrict which IAM identities can delete log groups.\u003c/li\u003e\n\u003cli\u003eConfigure AWS Config rules to alert on missing or modified log groups to ensure that deletions are detected and investigated promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T18:22:00Z","date_published":"2024-01-04T18:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-04-aws-cloudwatch-log-deletion/","summary":"Detection of Amazon CloudWatch Log Group deletion via the 'DeleteLogGroup' API by non-AWS Internal user agents, potentially indicating defense evasion or disruption of logging pipelines.","title":"AWS CloudWatch Log Group Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-04-aws-cloudwatch-log-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Amazon CloudWatch","version":"https://jsonfeed.org/version/1.1"}